[00:09.460 --> 00:20.740]  Today's main topic is a relatively rare type of attack: I let you log into my account, and in certain scenarios that can be turned into an attack on you.
[00:25.060 --> 00:34.980]  First a brief self-introduction: my online handle is DaiziBuKaikou, and also ChengShuWenZhong; those are some of my embarrassing aliases, so I won't write them out.
[00:35.020 --> 00:46.580]  I've been doing web security for several years, I've worked at a number of internet companies, and also at some startups.
[00:46.580 --> 00:56.540]  Now I work in the systems and network security department at MaYe. In short, because I'm more familiar with web security, I'm now doing network security.
[00:56.780 --> 01:01.920]  The reason I came up with this topic is that I used to find a lot of vulnerabilities in other people's accounts.
[01:02.360 --> 01:14.420]  I reported these on WuYun a few years ago: basically, across all kinds of internet companies, vulnerabilities where you click and I get into your account, or hijack your account.
[01:14.420 --> 01:20.380]  And I always felt that if you find these vulnerabilities in other people's accounts, you owe them something in return.
[01:22.240 --> 01:27.320]  Then one day I thought: why don't I let other people log into my account instead?
[01:27.320 --> 01:35.100]  And that changed my thinking. In my own life, I often give some of my accounts to other people.
[01:35.160 --> 01:43.660]  Including one of my friends in Europe, who likes a website called Tumblr; I don't know if you know it.
[01:45.820 --> 01:57.640]  It's a site where netizens share pictures and videos. There's a lot of good stuff on it, but my friend couldn't get onto it.
[01:57.640 --> 02:03.120]  He said, help me get on, so I helped him get it working. And since he didn't understand English, I registered an account for him.
[02:03.880 --> 02:16.680]  Then, after a while, one day I happened to open this account again and found a lot of wonderful accounts being followed on it. For me, that meant a lot of happy nights.
[02:16.760 --> 02:20.900]  I did nothing at all; I just put my account on someone else's machine, and I got some benefits.
[02:21.120 --> 02:32.060]  You may think of it this way: sometimes you help an elder or a friend, for example with an Apple ID on an iPhone that he doesn't know how to use, so you help him set it up with your own account.
[02:32.060 --> 02:35.660]  Maybe one day you find that many of his photos have synced to yours.
[02:35.740 --> 02:47.360]  So looking at it from that side, this is a kind of... For me, as the owner of this account, I may have gotten some benefits, and this can also produce some attack scenarios.
[02:47.360 --> 02:56.620]  Today I'll mainly talk about various scenarios in which the victim logs into my attacker account and an attack results.
[02:59.080 --> 03:05.580]  So think about it: its essence is this. What I just described is the case where the other party knows about my account.
[03:05.600 --> 03:11.200]  If the other party is unaware, then some of his photos or the things he views become known to me.
[03:11.200 --> 03:20.400]  So if the victim unknowingly logs into the attacker's account, the attacker controls the account and controls the content that goes into it.
[03:20.680 --> 03:29.440]  Combined with the victim's environment and the victim's own input into this account, this interaction can produce some attacks on the victim.
[03:30.380 --> 03:47.820]  For example, stealing login credentials, phishing, stealing private data, content pollution, even framing someone, including hiding one's identity; there will be examples later. That's mainly what I'll talk about today.
[03:51.380 --> 04:01.960]  Of course, everyone will say the other party won't be so stupid as to log into your account. So we must use some attack to get them logged into our account.
[04:02.900 --> 04:05.880]  The simplest is a login CSRF vulnerability.
[04:05.880 --> 04:12.680]  In fact, most of our login requests basically have no CSRF protection.
[04:12.680 --> 04:25.240]  Because in China it is basically only done in the logged-in state: a CSRF token is planted tied to the session, or a random number is put directly in the cookie. So generally this isn't done for login.
[04:26.900 --> 04:36.220]  And since this isn't done, if you know CSRF vulnerabilities, you know you can complete the login request with a simple POST request.
[04:37.000 --> 04:46.180]  Even if it uses an SMS verification code, you can still make it log in: you request an SMS code here,
[04:46.360 --> 04:53.740]  and if the protection on that side is weak, you put the SMS code in and let it complete the login request.
[04:55.080 --> 05:00.880]  And if the login form itself isn't vulnerable, there is another very common one.
[05:01.380 --> 05:10.900]  In fact, when most people complete login, the state is actually in the cookie, for example Session or SID, that kind of authentication cookie.
[05:10.960 --> 05:17.960]  Then if we find a website with such a... Some websites have a SetCookie interface.
[05:17.960 --> 05:22.860]  Maybe it only lets you control the key, or only the value, or some even let you control both.
[05:23.540 --> 05:31.900]  If you find such an interface, you can SetCookie directly and make it log into your account.
[05:32.540 --> 05:46.200]  There are even some scenarios with a vulnerability called CRLF injection, where you can also make the response complete the SetCookie behaviour.
[05:47.940 --> 05:54.920]  Then there is the third one: link-based login credentials. How to put it?
[05:54.920 --> 06:03.200]  That is, some sites may get their login from single sign-on, from the SSO or Passport page.
[06:03.880 --> 06:10.260]  After single sign-on completes, the SSO passes a token to the site, which then completes the login on its own domain.
[06:10.260 --> 06:15.960]  Then we can use such a link directly: send the token we obtained to the victim and let them complete such a login.
[06:18.670 --> 06:24.110]  Then there are the QR code scan logins that are common now. You can also simulate this locally and scan the QR code yourself.
[06:24.110 --> 06:34.090]  The logic of QR code login is: my local page shows a QR code, then keeps asking the server whether this QR code has been authorized by a scan from the phone, until it is authorized.
[06:34.090 --> 06:41.510]  Then the server returns a link carrying the credential, and the page completes the login.
[06:42.110 --> 06:47.510]  So we can simulate this locally, get this link directly, and send it to the other party to log in.
[06:47.930 --> 06:58.990]  Requests like these did no referer or origin verification, so as long as you send it directly it basically completes. I've seen some examples that can basically complete the login directly.
[06:59.550 --> 07:04.830]  Then there is another one: if this website's own login has no problems,
[07:04.950 --> 07:09.430]  there may still be a third-party login. For example, I can't log you into my account on some site.
[07:09.430 --> 07:16.210]  Let's take some site as an example. I can't log in to that site directly, but that site may support binding,
[07:17.350 --> 07:24.490]  for example a Weibo login. I can make the victim log into my Weibo account first, then use its third-party login interaction request.
[07:24.630 --> 07:30.610]  That can also complete its third-party login, and thereby achieve a login to that site.
[07:32.750 --> 07:36.930]  Of course, the last and most common way, when nothing else works, is social engineering.
[07:36.930 --> 07:45.670]  For example, you go to his house and chat with him, pretend to invite him to dinner, then go to his house and use his browser directly.
[07:45.670 --> 07:54.650]  Of course there are more scenarios, including browsers, routers and some smart-home devices; you can log in directly by this method.
[07:55.270 --> 08:00.670]  When ordinary people use these devices they may not pay attention to them. There is also a detail called account binding.
[08:07.620 --> 08:16.620]  If the other party logs into our account, let's see what scenarios there are. Let me list them roughly first, from the victim's side to the attacker's.
[08:17.760 --> 08:25.900]  In fact, when the attacker controls the account, what he controls is that he can read and write things in this account,
[08:25.900 --> 08:32.880]  even things I wrote earlier, which then appear on your page.
[08:32.880 --> 08:40.020]  For example, there is something called self-XSS: the content I wrote can even gain code-execution rights. I'll introduce self-XSS separately later.
[08:40.020 --> 08:44.500]  This vulnerability is basically what everyone considers a low-value one.
[08:44.500 --> 08:54.020]  And then on the victim's side, some of his behaviour interacts with my account; there will be various functional scenarios, listed at the end.
[08:57.820 --> 09:03.300]  Then the first one is that we log into the attacker's account on a general website.
[09:04.620 --> 09:11.160]  For example, his online behaviour. What is online behaviour? My user unknowingly logs into your attacker account.
[09:11.160 --> 09:19.580]  For example, a search engine. Google had such a vulnerability before: I make you unknowingly log into my Google account.
[09:19.580 --> 09:28.080]  Then you may not know. Most people might not log into this account themselves, but after he has been logged into the attacker's account he still uses it every day to search.
[09:28.080 --> 09:35.820]  His search history may be recorded. Then the attacker logs into the account and sees this person's search history.
[09:35.820 --> 09:44.040]  Of course, this isn't very serious, but it is a certain degree of privacy disclosure. The same applies to many video websites now, browsing history and so on; all of these work.
[09:44.040 --> 09:50.280]  Then think about it the other way around: the attacker writes content for you. For example, I open this account and generate some malicious searches.
[09:50.960 --> 10:07.820]  Then I can even say: when you're using this account and typing in the input box, the autocomplete will recommend the content the attacker searched for previously, achieving a content-recommendation effect.
[10:07.820 --> 10:16.440]  Then some behaviours can be used for phishing. For example, I
[10:18.480 --> 10:23.600]  can guide the user to open a website through an email.
[10:21.720 --> 10:31.720]  Say I control this account now, on something like an e-commerce website that has an area where my users can write their own notes.
[10:31.720 --> 10:39.480]  The attacker can write a note or something on it, especially one that looks like an official statement, then send an email guiding the user to open it.
[10:39.480 --> 10:48.600]  In fact, when the user opens it, he also sees the official, legitimate domain, then reads the content; since it isn't his own input he has no suspicion, but in fact it is the attacker's input.
[10:48.600 --> 10:54.700]  He may think this is an official notice and be guided by it to continue doing something. Of course, I'll give you an example.
[10:54.700 --> 11:02.440]  That is to say, when the attacker can control this content, you can guide the user's behaviour, and through this interaction produce phishing and fraud.
[11:02.440 --> 11:13.180]  Then there is another one. After the user logs into my account and uses it unknowingly,
[11:14.240 --> 11:18.220]  there may be some input scenarios. For example,
[11:19.380 --> 11:27.180]  I remember PayPal seemed to have such a case: the user logged into the attacker's PayPal account.
[11:27.900 --> 11:34.300]  Then, when he is paying online, he may need to bind a credit card number. He doesn't know the currently logged-in account is the attacker's;
[11:34.300 --> 11:39.740]  he thinks it is his own, and he enters this credit card number. Then this card number may already be in the attacker's account.
[11:39.740 --> 11:45.960]  In the attacker's own section you may see this card, or this account has the right to pay with this credit card number.
[11:47.460 --> 11:54.780]  Including, I can also do some phishing: send an email to the user saying "you won a prize, hurry and fill in a shipping address".
[11:54.900 --> 11:59.040]  But in fact, when the user opens my link, he has already been logged into the attacker's account.
[11:59.040 --> 12:06.640]  Then he enters a shipping address, thinking he has won a prize, but in fact the attacker can also see this shipping address.
[12:08.160 --> 12:16.060]  There are some similar ones, for example private data, entering a schedule; if you can trick him into entering this,
[12:16.160 --> 12:18.400]  you can also get some sensitive information from the other party.
[12:18.980 --> 12:26.100]  What I just described is our attacker controlling the account or its content, and some interactions with the victim himself.
[12:26.860 --> 12:35.580]  And then, besides interacting with him, this content may also interact with some third-party websites.
[12:37.460 --> 12:44.780]  The first: the third-party website submits, the attacker reads. This third-party website case is less common.
[12:44.800 --> 12:54.300]  A simple one: a third-party website can be understood as, for example, a sub-site that I run, and an SSO site delivers to me.
[12:55.000 --> 13:03.820]  That is, after single sign-on it gives me verification information, generally passed through, for example, by adding such a token directly in the URL parameters.
[13:05.100 --> 13:16.460]  And then there is a way to attack: on my page, for example, embed an image; through that I can read the current page's URL.
[13:16.900 --> 13:22.880]  But this site, this content...
[13:50.700 --> 13:57.660]  For example, if another site wants to use my account, it will use JSONP.
[13:58.140 --> 14:04.040]  If the other side uses JSONP, there will be an XSS bug.
[14:04.140 --> 14:11.700]  But we can't control the content, because the content is generated in the user's own account.
[14:12.080 --> 14:19.700]  What do we do if we want to control the content? Let him log into my account, and I write the content. Then maybe we can complete an XSS attack against the third-party website.
[14:22.900 --> 14:33.980]  There is another way to interact with a third party. Many websites let you bind a third-party account for login.
[14:33.980 --> 14:40.700]  For example, this third-party account could be Weibo, bound for login.
[14:40.700 --> 14:52.140]  I can make him log into my Weibo account first, then guide him to complete the binding process automatically.
[14:52.140 --> 15:00.820]  Of course, this binding process needs some vulnerabilities to complete automatic binding. I can make him log into Weibo first.
[15:09.520 --> 15:15.460]  For example, the request to log into Weibo may be a request like this.
[15:16.800 --> 15:21.860]  Generally speaking, I've seen a lot of requests that basically do no CSRF protection.
[15:21.940 --> 15:30.420]  After I let the victim log into my Weibo account, I guide the user to trigger this request, by getting him to visit the page in various forms.
[15:30.420 --> 15:37.020]  Then he completes the automatic binding of this Weibo account. In fact, he binds my attacker's Weibo account.
[15:37.220 --> 15:46.320]  Then as the attacker, I just need to log in, go to this site, and use Weibo login; I can log into his account on that site.
[15:50.420 --> 15:59.280]  This may require some knowledge of the OAuth flow; you may understand a bit about the third-party interaction process.
[15:59.520 --> 16:04.600]  This would take a long time to explain, so you can just take a quick look.
[16:06.560 --> 16:22.200]  Of course, the process of getting the victim to automatically complete the Weibo binding isn't that simple. That was the worst-case scenario.
[16:22.800 --> 16:33.480]  In fact, many sites force you to enter the Weibo password when binding. Even if your Weibo is logged in, it still asks you to enter the password.
[16:33.480 --> 16:43.160]  But Weibo has a parameter called forcelogin, equal to true or false, which controls whether it uses password login or the current login state.
[16:43.180 --> 16:52.260]  Then some sites also put this parameter in the link just mentioned, so you may directly guide the user to a link with this parameter added.
[16:52.260 --> 16:59.040]  Where it requires you to forcibly use a password again, you can still achieve the same effect.
[17:00.800 --> 17:17.940]  Then there are even some sites that have completed the OAuth interaction with Weibo but do no verification of the state on the callback link.
[17:17.940 --> 17:23.920]  Because the state in OAuth is a verification; it is a CSRF token.
[17:23.920 --> 17:33.400]  To prevent attackers from directly using the binding link to make users visit it, there can be a state to verify.
[17:33.400 --> 17:38.820]  Verification means this request came from my original site and is a legitimate request.
[17:38.820 --> 17:42.060]  But there are also many sites that don't do this state verification.
[17:42.260 --> 17:50.520]  Then you don't even need the complicated process I just described; send a request to the user and it will complete the binding of your Weibo account directly.
[17:51.400 --> 17:57.900]  Then there are some sites that do state verification but put the state in the cookie. That is also very simple.
[17:59.940 --> 18:06.560]  Likewise, if you find such a SetCookie interface, you can directly forge its state.
[18:06.640 --> 18:19.140]  Generally speaking, I think a CSRF token should have some signature mechanism generated by your server; it shouldn't be as simple as relying on a value in a cookie for verification.
[18:21.320 --> 18:29.260]  Some sites even put the value in front and the state behind. This way, you don't even need to find a SetCookie interface.
[18:29.260 --> 18:41.640]  As long as you can find a function that lets you write a value, writing the state value into any cookie, you can use that key's value as the state value for the verification.
[18:41.640 --> 18:51.860]  Of course, it's a bit messy. Written this way it's simpler: tool-wise, you don't need to find a SetCookie interface at all.
[18:51.860 --> 19:00.380]  As long as you can control a cookie, for example a search history entry or some value, and you can find another function to control that value, it will work.
[19:03.360 --> 19:10.240]  I reported this vulnerability on WuYun before. At the time I found that at least half of the sites I looked at had this vulnerability.
[19:10.240 --> 19:17.580]  Then I reported it. Then I went to look again some time ago; basically, many sites aren't properly fixed, or there are problems with the fix.
[19:17.580 --> 19:26.100]  There is also a scenario here. In fact, OAuth binding has a kind of anti-CSRF protection built in.
[19:26.100 --> 19:34.560]  But many of our users have wrapped their own page in front of it, a page similar to that one.
[19:34.560 --> 19:43.220]  If you don't protect this page, the CSRF protection that OAuth does for you in the middle is useless. So you have to do this CSRF protection at the initial step.
[19:43.220 --> 19:52.550]  What I just said relates to interaction with third-party websites.
[19:53.170 --> 20:00.270]  There is another one. In fact, the other party logging into my account is different from me using the account.
[20:00.590 --> 20:06.010]  For example, where is the difference? The environment is different: the other person's environment is different from mine.
[20:06.010 --> 20:14.310]  Network, network environment, IP, browser are all different. We may be able to use the other person's online environment to make some other breakthroughs.
[20:14.310 --> 20:25.190]  For example, I saw some sites before that have discount activities, maybe only for employees or for certain IP ranges.
[20:25.190 --> 20:30.430]  For example, you can't grab the coupon yourself. So you can let him log into your account.
[20:30.430 --> 20:37.650]  If there are some basic CSRF vulnerabilities in this coupon-grabbing function, you cooperate with him to help you complete the coupon grab.
[20:37.870 --> 20:42.610]  Or some requests that can only be made by the other party's employees, or from inside their intranet.
[20:45.430 --> 20:49.930]  And then there is interfering with tracing after the coupon grab.
[20:49.930 --> 21:02.570]  That is to say, if I as an attacker grab a coupon, I may not dare to use it afterwards, because the other party may trace you based on some login records.
[21:02.570 --> 21:11.350]  And then, if I want to interfere with the other party's tracing, I can put this account out at the same time.
[21:11.870 --> 21:18.650]  For example, if I put this attack method on a popular page and let hundreds of thousands of netizens log into this account, and then I also log in,
[21:18.650 --> 21:21.430]  this will confuse the other party's tracing.
[21:22.170 --> 21:27.590]  This is just an example. This scenario may not be very useful; no one will do this.
[21:29.530 --> 21:37.090]  And then there is even: I want to post maliciously on the internet, but I don't want to use my identity.
[21:37.090 --> 21:45.030]  I can let the other party log into my account, and then combine it with some CSRF vulnerabilities or some other vulnerabilities.
[21:45.030 --> 21:49.310]  You can let the other party complete these malicious posts. In this way, you hide your identity.
[21:55.560 --> 22:02.200]  There is another way. We control the content shown in the victim's browser.
[22:02.480 --> 22:10.280]  And this content is not only combined with the victim himself or some websites; it may also be seen by some third parties in the real world.
[22:10.820 --> 22:17.260]  For example, his girlfriend is a police officer. How to put it? Let me give you an example.
[22:17.260 --> 22:28.840]  For example, you and your colleague both like the same female colleague, right? And then your colleague wins her over, and you are very unhappy.
[22:29.840 --> 22:37.440]  And then you think of this approach: let your male colleague log into your accounts.
[22:38.220 --> 22:45.600]  I log him into all kinds of accounts online, for example content-publishing sites, Weibo, all kinds of accounts, and these accounts are controlled by me.
[22:45.600 --> 22:49.340]  Some messy, very dirty content is posted on them.
[22:49.340 --> 22:57.780]  And then I tell this female colleague: you don't really know your boyfriend; in fact your boyfriend is a pervert, a monster, right?
[22:57.780 --> 23:03.260]  If you don't believe me, go to his house. And then his girlfriend goes to this male colleague's house.
[23:03.320 --> 23:11.440]  One day she secretly opens her boyfriend's browser and suddenly finds that her boyfriend has posted this messy content on the front page.
[23:14.740 --> 23:22.480]  Basically, if I let you control your content in many pages on the Chinese website.
[23:22.560 --> 23:25.420]  You basically don't have time to look at them one by one.
[23:25.420 --> 23:27.580]  And most of them are using mobile phones now, right?
[23:27.580 --> 23:30.360]  A browser like this may just work for a while.
[23:30.360 --> 23:31.320]  And then it's over.
[23:31.620 --> 23:32.980]  Of course, this is also an example.
[23:32.980 --> 23:40.680]  I think you can even say that after you have a girlfriend, you want to do more.
[23:40.680 --> 23:41.500]  I'm afraid he'll take it back.
[23:41.500 --> 23:45.160]  You can even frame him for sending some malicious content to the police.
[23:45.160 --> 23:47.580]  Even the police saw it.
[23:47.580 --> 23:50.160]  Of course, I'm not just using this scene as an example.
[23:50.240 --> 23:53.280]  I think it's normal to find a girlfriend.
[23:53.280 --> 23:56.180]  It should be done in a fair and open way.
[23:56.320 --> 23:58.840]  Don't use this way, right?
[23:58.840 --> 23:59.880]  Rich people rely on money.
[23:59.880 --> 24:01.380]  Talented people rely on talent.
[24:02.600 --> 24:06.240]  If you don't have money or talent, you can rely on your looks like me.
[24:08.220 --> 24:12.100]  I know I'm getting fat in the middle of the year now.
[24:12.920 --> 24:14.780]  I've come to realize this problem in the past few years.
[24:20.040 --> 24:21.840]  And then there's another scenario.
[24:22.740 --> 24:27.220]  I used to have a mailbox.
[24:27.240 --> 24:28.360]  It's also a case of miscarriage.
[24:30.320 --> 24:33.900]  Because a person may have a lot of mails in this station.
[24:33.900 --> 24:36.420]  And then this station is for the convenience of the user.
[24:36.420 --> 24:41.020]  That is to say, you can tie another account of your station to a mailbox at the same time.
[24:41.020 --> 24:43.180]  You can manage two mails at the same time.
[24:43.320 --> 24:45.340]  But this is tied to another account.
[24:45.340 --> 24:46.040]  This login interface.
[24:46.040 --> 24:48.680]  Sometimes if you don't do some CSRF protection,
[24:48.680 --> 24:53.160]  I can let the other party unknowingly bind my account.
[24:53.160 --> 24:55.340]  In this case, I can log into my account again.
[24:55.340 --> 24:57.180]  You can see the content of the other party's mailbox.
[24:59.020 --> 25:03.500]  And then there are some stations that allow users to bind some third-party accounts.
[25:03.500 --> 25:04.840]  It's not the account of this station.
[25:06.120 --> 25:08.040]  For example, the relationship between these two stations is better.
[25:08.040 --> 25:10.120]  It can be said that the user logs in.
[25:10.120 --> 25:11.120]  You're bound.
[25:11.660 --> 25:13.380]  And then bind another account.
[25:13.380 --> 25:15.000]  You can log in with each other.
[25:15.000 --> 25:16.780]  It's a little bit like this.
[25:17.400 --> 25:19.660]  SSO is a single-point login method.
[25:19.660 --> 25:21.480]  You can also use the previous one.
[25:21.480 --> 25:23.000]  It's similar to the one just now.
[25:23.000 --> 25:25.020]  Binding third-party accounts to log in.
[25:25.020 --> 25:28.260]  If he wants to use the password directly.
[25:28.260 --> 25:30.220]  It can also be used in a similar way.
[25:30.220 --> 25:32.320]  CSRF login, this CSRF
[25:32.320 --> 25:33.940]  way of attacking.
[25:35.060 --> 25:38.660]  This actually achieves a countdown effect.
[25:39.580 --> 25:41.220]  And the other party may not know yet.
[25:41.220 --> 25:42.700]  Bind your account.
[25:46.090 --> 25:48.190]  And then we have these web pages.
[25:48.190 --> 25:50.890]  Let's go up and think about it.
[25:51.910 --> 25:53.330]  A lot of browsers now.
[25:53.330 --> 25:55.750]  It has a function of an account.
[25:55.750 --> 25:58.130]  It's like a voice browser.
[25:58.130 --> 25:59.810]  And these accounts.
[26:00.850 --> 26:02.090]  After logging in to the account.
[26:02.090 --> 26:04.190]  It will help you synchronize some collectors.
[26:04.190 --> 26:05.690]  Your visit records.
[26:05.830 --> 26:08.310]  Some of them even have your browser configuration.
[26:08.310 --> 26:09.690]  Including even some of your passwords.
[26:09.690 --> 26:11.770]  Now there are synchronized.
[26:11.770 --> 26:13.690]  And then the general browser login.
[26:13.690 --> 26:15.190]  It should be a...
[26:15.950 --> 26:17.390]  You're on the outside.
[26:17.390 --> 26:19.410]  It's not supposed to be a browser login.
[26:19.410 --> 26:20.910]  But now a lot of browsers log in.
[26:20.910 --> 26:23.110]  For the convenience of interaction.
[26:23.110 --> 26:25.590]  Or to integrate some third parties.
[26:25.630 --> 26:26.830]  Now some browsers log in.
[26:26.830 --> 26:29.210]  It will also support some third-party QQ, Weibo.
[26:29.210 --> 26:31.110]  These authorized logins.
[26:31.110 --> 26:32.770]  Its interaction process.
[26:33.670 --> 26:34.730]  I've seen some cases.
[26:34.730 --> 26:35.690]  Some are problematic.
[26:35.690 --> 26:37.470]  You can fake some requests.
[26:37.910 --> 26:42.050]  Let it open the request in the browser.
[26:42.050 --> 26:42.610]  Log in.
[26:42.610 --> 26:43.910]  And then it's done.
[26:43.910 --> 26:45.910]  This is the effect of a browser login.
[26:46.710 --> 26:49.370]  Once you control its browser in this way.
[26:49.370 --> 26:50.150]  Some of its malicious...
[26:52.890 --> 26:53.450]  These...
[26:54.370 --> 26:55.670]  From a reading point of view.
[26:55.670 --> 26:57.730]  You can look at some of its collectors.
[26:57.730 --> 26:59.270]  Its visit records.
[26:59.330 --> 27:00.490]  From a writing point of view.
[27:00.490 --> 27:02.410]  You can write some malicious plug-ins.
[27:06.200 --> 27:07.480]  Of course, this...
[27:08.260 --> 27:09.800]  I won't go into the details of this loophole.
[27:10.060 --> 27:10.620]  I...
[27:11.380 --> 27:12.360]  To prepare.
[27:12.360 --> 27:14.580]  I've seen about ten browsers.
[27:14.580 --> 27:16.740]  One or two of them can be realized.
[27:16.840 --> 27:18.080]  And then the others.
[27:18.760 --> 27:20.200]  There may be more.
[27:20.200 --> 27:21.980]  Other aspects of the loophole can be realized.
[27:22.280 --> 27:22.840]  This attack.
[27:22.840 --> 27:24.380]  Of course, there is the most common way.
[27:24.460 --> 27:26.200]  I just log in from his computer.
[27:26.560 --> 27:28.440]  Because a lot of people use browsers.
[27:28.440 --> 27:29.280]  It doesn't have to be tied up.
[27:29.280 --> 27:30.380]  You tie it up for him.
[27:30.380 --> 27:31.880]  He may not be able to see it.
[27:35.700 --> 27:38.380]  And then there are some attacks like Apple.
[27:42.380 --> 27:43.220]  Like some...
[27:43.900 --> 27:45.360]  Apple's ability is stronger.
[27:45.360 --> 27:46.480]  He can talk to you.
[27:46.480 --> 27:48.840]  Some photos of local storage.
[27:49.740 --> 27:51.520]  Some files are operated.
[27:51.520 --> 27:53.360]  You may have some interactions with Apple.
[27:53.540 --> 27:55.760]  If you can control the other party.
[27:55.760 --> 27:56.900]  For example, the type of network disk.
[27:56.900 --> 27:58.100]  What kind of notebook.
[27:58.660 --> 28:01.020]  You can control the other party's account.
[28:01.020 --> 28:02.740]  Some of his privacy information.
[28:02.740 --> 28:05.400]  Including pictures may be synchronized with you.
[28:06.100 --> 28:07.440]  And then.
[28:07.440 --> 28:09.100]  How to attack.
[28:09.100 --> 28:10.520]  I've seen it.
[28:11.380 --> 28:13.580]  Some apps are now.
[28:13.580 --> 28:16.620]  In the open WebView.
[28:16.620 --> 28:18.300]  If you log in.
[28:18.300 --> 28:20.460]  He will also complete the login of this app.
[28:20.480 --> 28:21.960]  They are a shared.
[28:22.080 --> 28:23.400]  Storage quality.
[28:23.400 --> 28:25.180]  There are some other apps.
[28:25.180 --> 28:27.680]  For example, other products of the same company.
[28:28.020 --> 28:29.380]  Some logins.
[28:29.380 --> 28:30.800]  He will have some interfaces.
[28:30.800 --> 28:33.280]  Some of those interfaces.
[28:33.460 --> 28:35.340]  The quality that can be transmitted.
[28:35.740 --> 28:38.180]  As long as you can guide.
[28:38.360 --> 28:39.360]  Through some WebView links.
[28:39.360 --> 28:41.040]  Guide him to open such.
[28:41.040 --> 28:42.140]  Scheme.
[28:42.600 --> 28:44.560]  It is also possible to give him a quality.
[28:44.560 --> 28:45.780]  Complete the login of your account.
[28:52.350 --> 28:54.330]  Then there is a kind of background configuration.
[28:54.330 --> 28:56.110]  There are some management backgrounds.
[28:56.210 --> 28:58.570]  For example, he can match some FTP accounts.
[28:58.590 --> 28:59.650]  Or some.
[29:00.290 --> 29:02.290]  Memory cache accounts.
[29:02.610 --> 29:04.650]  These accounts are actually his.
[29:04.650 --> 29:06.890]  It's just a user password.
[29:06.890 --> 29:07.350]  This account.
[29:07.630 --> 29:09.270]  If this request is not done.
[29:09.270 --> 29:11.950]  If you know his features.
[29:11.950 --> 29:13.390]  For example, open source software.
[29:13.390 --> 29:16.170]  You know the details of such implementation.
[29:16.170 --> 29:17.290]  You can send him one.
[29:17.290 --> 29:19.170]  Such a request.
[29:19.190 --> 29:20.290]  He may be a manager.
[29:20.290 --> 29:22.090]  He bound your village account.
[29:22.090 --> 29:23.130]  He may not even know.
[29:23.130 --> 29:24.590]  He may also use the website normally.
[29:24.590 --> 29:26.050]  He is actually using your.
[29:26.050 --> 29:27.870]  A remote back-end server.
[29:28.290 --> 29:29.670]  But these contents.
[29:29.670 --> 29:31.130]  Have been seen by you.
[29:31.130 --> 29:32.570]  You can read and write.
[29:39.700 --> 29:42.160]  And now there are some routers.
[29:42.160 --> 29:44.480]  Also realized some cloud account management.
[29:45.740 --> 29:47.120]  If the router.
[29:47.240 --> 29:48.420]  If the mobile account.
[29:49.000 --> 29:50.740]  In fact, the attack.
[29:51.740 --> 29:54.020]  From a reading point of view.
[29:54.020 --> 29:54.720]  Relatively limited.
[29:54.720 --> 29:56.000]  I can read your.
[29:57.060 --> 29:58.720]  Some online equipment information.
[29:58.880 --> 30:00.380]  And then from a writing point of view.
[30:00.380 --> 30:02.220]  You can change your DNS.
[30:02.880 --> 30:03.680]  Change DNS.
[30:03.680 --> 30:05.200]  This is DNS hijacking.
[30:05.200 --> 30:06.160]  This is more harmful.
[30:06.160 --> 30:07.120]  Can be controlled.
[30:07.220 --> 30:09.000]  And then read this one.
[30:11.620 --> 30:13.240]  In fact, the harm.
[30:13.480 --> 30:14.560]  Is not big.
[30:14.560 --> 30:15.580]  Know one.
[30:15.920 --> 30:17.340]  Know one.
[30:17.340 --> 30:19.120]  For example, you.
[30:19.360 --> 30:20.660]  You and your girlfriend.
[30:21.400 --> 30:22.740]  After configuration.
[30:23.060 --> 30:25.080]  Bought a router.
[30:25.080 --> 30:26.840]  You configure your cloud account for her.
[30:29.000 --> 30:30.040]  You.
[30:30.160 --> 30:31.140]  Look at her.
[30:31.340 --> 30:32.400]  Watch her every day.
[30:32.400 --> 30:33.860]  This is called online terminal information.
[30:33.860 --> 30:35.580]  In fact, it feels like nothing has been leaked.
[30:36.700 --> 30:38.320]  But you have to think about it.
[30:38.420 --> 30:39.760]  If one day at night.
[30:39.760 --> 30:40.840]  When you just went to bed.
[30:41.140 --> 30:42.800]  Open this cloud account again.
[30:43.180 --> 30:44.540]  Suddenly see above.
[30:44.540 --> 30:45.500]  There is an online terminal.
[30:45.500 --> 30:48.500]  For example, what is called Wang Xiaogang's iPhone.
[30:49.340 --> 30:51.560]  But you may be a little confused.
[30:51.560 --> 30:53.280]  Why is your girlfriend's house online?
[30:53.620 --> 30:55.340]  Obviously an iPhone with a man's name.
[30:55.880 --> 30:56.800]  That is to say.
[30:56.800 --> 30:57.900]  Maybe this equipment name.
[30:57.900 --> 30:58.480]  It doesn't count.
[30:58.480 --> 31:00.780]  But it may be in a specific scene.
[31:00.780 --> 31:02.020]  It may leak.
[31:02.020 --> 31:03.940]  A very important piece of information.
[31:03.940 --> 31:07.380]  Or some stories behind it.
[31:09.700 --> 31:10.760]  Of course, some people say.
[31:10.760 --> 31:11.900]  Your scene is useless to me.
[31:11.900 --> 31:12.900]  I am a technical man.
[31:12.900 --> 31:14.240]  How could I have a girlfriend?
[31:15.140 --> 31:16.900]  But in our case today.
[31:16.900 --> 31:17.620]  You have a girlfriend.
[31:17.620 --> 31:20.480]  You just grabbed a girlfriend from the previous colleague.
[31:26.960 --> 31:27.940]  In the same way.
[31:28.300 --> 31:29.580]  You go out again.
[31:29.580 --> 31:31.160]  In addition to 6.7.
[31:31.160 --> 31:33.240]  Now there are a lot of smart homes.
[31:34.200 --> 31:35.300]  Originally this smart home.
[31:35.300 --> 31:36.300]  The whole internet is used.
[31:36.300 --> 31:39.000]  But everyone is still for some convenience of life.
[31:39.000 --> 31:40.420]  Let him use some cloud accounts.
[31:40.420 --> 31:42.480]  Will synchronize these information to the cloud.
[31:43.240 --> 31:44.600]  For example, the camera.
[31:44.600 --> 31:46.480]  If you log in to this account.
[31:46.480 --> 31:49.480]  You can watch the other person's content remotely.
[31:49.600 --> 31:50.500]  You include.
[31:51.000 --> 31:52.820]  Now even some weight scales.
[31:52.820 --> 31:54.200]  He has a cloud account.
[31:54.200 --> 31:57.340]  Let you observe your weight changes every day.
[31:57.340 --> 31:58.080]  Some.
[31:58.660 --> 32:00.560]  Give you some weight loss.
[32:00.560 --> 32:02.080]  Some training plans.
[32:02.080 --> 32:04.780]  The same logic just now.
[32:04.780 --> 32:06.200]  Everyone wants to say.
[32:06.760 --> 32:07.660]  For example.
[32:07.660 --> 32:09.040]  Buy a weight scale for your girlfriend.
[32:09.040 --> 32:10.540]  Help her match your account.
[32:10.580 --> 32:13.660]  Then you look at your girlfriend's weight every day.
[32:13.880 --> 32:14.980]  Very happy.
[32:15.020 --> 32:17.500]  Watch her lose weight every day.
[32:17.500 --> 32:19.180]  Think about what she has done for me.
[32:19.540 --> 32:20.560]  Afraid of losing me.
[32:20.560 --> 32:21.640]  Lose weight there every day.
[32:21.960 --> 32:23.860]  But you suddenly find out one day.
[32:23.860 --> 32:25.060]  There is a weight above.
[32:25.480 --> 32:27.540]  For example, 80 kg.
[32:28.340 --> 32:29.480]  You think about this scene.
[32:29.480 --> 32:30.720]  Do you think it's terrible?
[32:30.720 --> 32:33.460]  Why at 7 o'clock in the morning.
[32:33.460 --> 32:35.040]  There is a weight of 80 kg.
[32:35.380 --> 32:36.360]  This behavior.
[32:39.700 --> 32:41.900]  Of course, this kind of attack.
[32:41.960 --> 32:43.400]  It's not that simple.
[32:43.400 --> 32:45.040]  Either by archiving.
[32:45.040 --> 32:46.080]  There is another way.
[32:46.520 --> 32:47.940]  He will have some.
[32:47.940 --> 32:49.520]  In the process of binding accounts.
[32:50.100 --> 32:51.880]  There may be some loopholes.
[32:51.880 --> 32:53.380]  I didn't take a close look at this one.
[32:53.380 --> 32:55.380]  But I used one or two.
[32:55.380 --> 32:57.740]  I think it is possible to achieve an attack.
[33:02.290 --> 33:03.470]  What I just said.
[33:03.470 --> 33:05.670]  Are the users' attacker accounts.
[33:05.670 --> 33:06.730]  Some ordinary content.
[33:06.730 --> 33:08.550]  How to control some ordinary content.
[33:08.550 --> 33:10.910]  If my attacker's account.
[33:11.730 --> 33:13.630]  The content written in the net.
[33:13.810 --> 33:15.710]  If there are some bigger privileges.
[33:15.710 --> 33:16.510]  For example.
[33:17.010 --> 33:19.210]  There are still some XSS loopholes.
[33:19.750 --> 33:21.950]  This is generally called.
[33:21.950 --> 33:23.390]  Generally speaking.
[33:23.390 --> 33:24.010]  For example.
[33:25.610 --> 33:26.070]  For example.
[33:26.070 --> 33:27.250]  The content of the acquisition address.
[33:28.810 --> 33:31.210]  If there is a XSS loophole in the display of the acquisition address.
[33:31.210 --> 33:32.610]  This kind of XSS loophole.
[33:32.610 --> 33:33.730]  We generally call it self-XSS.
[33:33.730 --> 33:34.510]  That is to say.
[33:34.530 --> 33:38.510]  You can only see this XSS after you log in.
[33:38.710 --> 33:40.510]  You can't attack others.
[33:40.710 --> 33:43.050]  If I want to attack others.
[33:43.050 --> 33:43.750]  I can only say.
[33:43.750 --> 33:45.250]  Let the other party log into my account.
[33:45.250 --> 33:46.790]  He can see this XSS.
[33:46.790 --> 33:47.830]  But this XSS.
[33:47.830 --> 33:51.070]  If you steal a cookie.
[33:51.070 --> 33:53.210]  Or the resource of operating this account.
[33:53.350 --> 33:54.250]  That is meaningless.
[33:54.250 --> 33:55.790]  Because this is your account.
[33:56.190 --> 33:57.790]  So it doesn't make sense for you to send it to the other party.
[33:58.370 --> 33:59.370]  But.
[33:59.890 --> 34:00.810]  XSS.
[34:00.950 --> 34:03.070]  It's not just stealing cookies.
[34:03.330 --> 34:05.890]  It's just how everyone uses it now.
[34:05.970 --> 34:07.770]  It can do a lot of other things.
[34:07.770 --> 34:08.550]  For example.
[34:08.590 --> 34:09.830]  Operate the storage of the browser.
[34:10.910 --> 34:13.170]  It can attack other stations.
[34:13.170 --> 34:13.610]  Including.
[34:13.610 --> 34:16.170]  It can achieve a fishing effect.
[34:16.170 --> 34:16.490]  Including.
[34:16.490 --> 34:18.710]  It can also steal some information from other stations.
[34:20.190 --> 34:21.610]  Some sensitive information.
[34:22.170 --> 34:22.830]  Of course.
[34:22.830 --> 34:26.690]  This kind of attack also requires the other party to log into our account first.
[34:28.370 --> 34:29.210]  Then.
[34:29.210 --> 34:30.050]  Think about it.
[34:30.270 --> 34:31.830]  This is more intense.
[34:31.830 --> 34:34.390]  Self-XSS can achieve those attacks.
[34:34.510 --> 34:35.670]  Self-XSS.
[34:35.670 --> 34:37.670]  I don't think it's accepted in some SACs.
[34:37.710 --> 34:38.470]  Or DUA.
[34:38.470 --> 34:39.930]  Some don't even accept it.
[34:40.590 --> 34:42.690]  But if this Self-XSS.
[34:42.690 --> 34:44.250]  Let the other party log into my account.
[34:44.250 --> 34:45.270]  What can it do?
[34:45.270 --> 34:46.370]  For example.
[34:47.770 --> 34:48.770]  Let it.
[34:48.770 --> 34:49.050]  For example.
[34:52.190 --> 34:54.190]  Let it log into my station.
[34:54.190 --> 34:54.730]  Then.
[34:54.730 --> 34:56.650]  This station has a Self-XSS.
[34:56.770 --> 34:57.630]  I can.
[34:57.990 --> 34:59.950]  Under the website.com domain.
[35:00.470 --> 35:01.870]  You can plant any cookie.
[35:01.870 --> 35:04.050]  If there is a station.
[35:04.050 --> 35:05.810]  Website.com.
[35:06.110 --> 35:08.290]  It has a cookie-based Self-XSS.
[35:08.970 --> 35:10.290]  Cookie-based Self-XSS.
[35:10.290 --> 35:11.730]  So that I can use it.
[35:11.730 --> 35:13.030]  This whole process.
[35:13.030 --> 35:14.770]  It forms a.
[35:14.770 --> 35:17.130]  B.website.com.
[35:17.270 --> 35:19.770]  An XSS similar to a reflected XSS.
[35:20.050 --> 35:21.970]  This is what I used to be.
[35:24.730 --> 35:25.770]  QQ.
[35:25.890 --> 35:27.630]  I found it over there.
[35:27.630 --> 35:29.590]  Because the WAF over there.
[35:29.590 --> 35:30.770]  Reflected XSS.
[35:30.770 --> 35:32.070]  It's all very well protected.
[35:32.070 --> 35:33.490]  And then maybe on some.
[35:33.730 --> 35:36.110]  There may be no protection on the storage.
[35:36.150 --> 35:37.590]  And then you can only use one.
[35:37.590 --> 35:38.790]  In a very complicated way.
[35:38.790 --> 35:41.090]  To achieve a XSS attack.
[35:41.610 --> 35:42.930]  And then you can also.
[35:43.270 --> 35:45.030]  You can also go to the front end browser.
[35:45.030 --> 35:46.690]  For example, local storage.
[35:46.690 --> 35:48.150]  You can write something in it.
[35:49.030 --> 35:50.790]  Some stations are in local storage.
[35:50.790 --> 35:52.050]  There is no block user.
[35:52.110 --> 35:53.790]  That is, I can say.
[35:53.790 --> 35:54.810]  Let it log into my account.
[35:54.810 --> 35:56.030]  After I finish writing something.
[35:56.030 --> 35:57.410]  I will launch this account.
[35:57.410 --> 35:58.750]  And then when the user logs in.
[35:58.750 --> 36:00.230]  It may be from this storage.
[36:02.310 --> 36:04.630]  Some functions on the page may show.
[36:04.630 --> 36:05.670]  The content of this storage.
[36:05.850 --> 36:08.030]  But this content is what I used to control.
[36:08.250 --> 36:10.050]  It can also be achieved in a similar way.
[36:10.050 --> 36:10.850]  There is a fishing.
[36:10.850 --> 36:11.970]  Even some.
[36:11.970 --> 36:13.510]  If it is rendered in a problem.
[36:13.510 --> 36:15.510]  Some XSS attacks may be achieved.
[36:20.080 --> 36:21.780]  And then there is a very simple one.
[36:21.860 --> 36:23.700]  There is a same-origin policy attack.
[36:23.700 --> 36:25.200]  That is, I have two stations.
[36:25.200 --> 36:30.580]  At the same time, we set the document.domain to the root domain.
[36:30.580 --> 36:31.620]  If both are equal to the root domain.
[36:31.620 --> 36:33.620]  We can implement.
[36:34.240 --> 36:36.340]  Same-origin JS operations.
[36:37.500 --> 36:39.500]  So I have a.
[36:39.500 --> 36:41.240]  A station with Self-XSS.
[36:41.240 --> 36:43.260]  I can actually.
[36:43.260 --> 36:44.000]  It may be.
[36:44.000 --> 36:45.420]  Control a station of B.
[36:45.980 --> 36:47.100]  XSS.
[36:51.140 --> 36:52.940]  Then there is fishing.
[36:52.940 --> 36:54.220]  That is, I may.
[36:54.680 --> 36:55.580]  There is no.
[36:56.700 --> 36:57.660]  Those loopholes just now.
[36:58.000 --> 36:59.120]  I can.
[36:59.320 --> 37:00.480]  Directly control this content.
[37:00.480 --> 37:02.660]  Let it not directly log into my account.
[37:03.860 --> 37:04.520]  For example.
[37:05.360 --> 37:06.940]  The other party logs into the account.
[37:07.380 --> 37:07.940]  XSS.
[37:07.940 --> 37:10.480]  Tell you what the password is dangerous.
[37:10.480 --> 37:10.980]  Please modify.
[37:10.980 --> 37:12.220]  Or your account is at risk.
[37:12.260 --> 37:13.680]  Please modify the new password.
[37:13.680 --> 37:14.600]  Then the other party.
[37:14.900 --> 37:17.040]  He may not necessarily go to the upper right corner at this time.
[37:17.040 --> 37:17.820]  Or where.
[37:17.820 --> 37:19.180]  What is the name of this log in account.
[37:19.400 --> 37:21.640]  He may quickly modify the password.
[37:21.640 --> 37:23.460]  In fact, you may be able to steal the password at this time.
[37:23.760 --> 37:25.760]  You can also talk about some more content.
[37:25.760 --> 37:27.140]  You can do some.
[37:28.720 --> 37:30.020]  Similar to fraud.
[37:30.800 --> 37:32.380]  I don't know if everyone has seen it.
[37:32.380 --> 37:32.840]  There is a.
[37:33.220 --> 37:35.580]  There was a movie a while ago.
[37:35.800 --> 37:37.660]  There are several children in it.
[37:37.660 --> 37:40.020]  Is the account of the big boss.
[37:40.460 --> 37:41.720]  After receiving his password.
[37:41.720 --> 37:42.620]  After going in.
[37:44.820 --> 37:46.000]  In the game scene.
[37:46.000 --> 37:48.320]  Modified the big boss exit.
[37:48.500 --> 37:49.980]  Similar to an exit scene.
[37:50.000 --> 37:51.520]  In fact, the big boss saw the scene.
[37:51.520 --> 37:52.560]  It's not true.
[37:52.600 --> 37:56.120]  They both used the same account.
[37:56.220 --> 37:57.840]  Then this side is.
[37:58.260 --> 38:00.460]  The whole interface of his exit game.
[38:00.660 --> 38:01.380]  All changed.
[38:01.880 --> 38:04.220]  Let the big boss think he was kidnapped.
[38:04.220 --> 38:05.320]  Then put.
[38:06.120 --> 38:06.980]  I forgot the content.
[38:06.980 --> 38:08.760]  Anyway, this kind of fraud was realized.
[38:14.200 --> 38:15.240]  Then.
[38:17.560 --> 38:18.580]  Self-test.
[38:18.580 --> 38:19.820]  You can also steal some other information.
[38:21.320 --> 38:22.440]  We call it.
[38:22.440 --> 38:24.820]  This example of SSO.
[38:25.240 --> 38:26.220]  Generally speaking, SSO.
[38:26.220 --> 38:27.280]  After you log in from SSO.
[38:28.160 --> 38:30.600]  Most of them are now through this.
[38:32.720 --> 38:33.960]  Get the way.
[38:34.080 --> 38:35.100]  For example.
[38:35.260 --> 38:38.620]  You send him a single-point login request.
[38:38.620 --> 38:40.200]  Say I want to log in to this page.
[38:40.200 --> 38:42.160]  You help me see if it is logged in.
[38:42.160 --> 38:43.520]  Then he tells you that it is logged in.
[38:43.520 --> 38:44.780]  Then send you a ticket.
[38:46.180 --> 38:48.060]  If it comes from SSO.
[38:48.720 --> 38:50.880]  The premise is that the other party has logged in to our account.
[38:51.060 --> 38:51.820]  Then.
[38:52.280 --> 38:53.420]  But his SSO.
[38:53.420 --> 38:54.880]  It's still his own account.
[38:54.880 --> 38:55.740]  Generally, this kind of war.
[38:55.740 --> 38:58.040]  Separate from the SSO.
[38:59.680 --> 39:00.680]  In this case.
[39:00.680 --> 39:01.560]  If it's separated.
[39:02.480 --> 39:04.700]  The other party put his own account.
[39:33.160 --> 39:39.500]  You can read the Ticket parameter from the Login page.
[39:50.730 --> 39:53.590]  There is another situation.
[39:54.290 --> 39:57.250]  It is a more perfect way to do it.
[39:57.390 --> 40:01.170]  After receiving the Ticket through the middle page,
[40:01.370 --> 40:03.850]  I can jump to the target page through 302.
[40:04.730 --> 40:13.270]  At this time, Self-XSS doesn't have a chance to get the Ticket value.
[40:13.590 --> 40:17.730]  Because there is no Ticket in the front page,
[40:17.730 --> 40:19.010]  and you can't even read the Referer.
[40:19.190 --> 40:22.150]  Because the 302 jump passes on the Referer from before,
[40:22.150 --> 40:24.370]  not the Referer of the Login page in the middle.
[40:26.850 --> 40:30.150]  At this time, I did this in a previous attack.
[40:30.150 --> 40:33.130]  I did it this way.
[40:33.530 --> 40:42.890]  You can use Self-XSS to plant a super-long cookie,
[40:42.890 --> 40:52.950]  and then use an iframe to guide it to issue a single-point login request.
[40:53.150 --> 40:56.430]  When the single-point login passes the Ticket to the middle page,
[40:56.430 --> 41:04.110]  the super-long cookie is already there.
[41:04.550 --> 41:08.030]  If you know, there is a denial of service called the super-long cookie.
[41:08.330 --> 41:12.930]  If the cookie is too long, the server will return an error.
[41:12.930 --> 41:14.930]  This page will fail to load.
[41:14.930 --> 41:19.230]  It won't go to my target page anymore.
[41:20.070 --> 41:24.530]  At this time, we can use the iframe's contentWindow.location
[41:24.530 --> 41:31.150]  to read the URL of the page currently in the iframe.
[41:35.050 --> 41:36.810]  There is also an advantage of this method.
[41:36.810 --> 41:39.310]  The simple way is to say that we stole the Ticket.
[41:39.550 --> 41:42.850]  If some accounts do this kind of Ticket anti-repetition,
[41:42.850 --> 41:45.370]  after the other party uses the Ticket,
[41:45.370 --> 41:47.790]  even if you steal it, it will fail if you use it again.
[41:47.870 --> 41:49.210]  If you steal it in this way,
[41:49.210 --> 41:57.370]  it means that the Ticket in the middle of the login page is not used.
[41:57.370 --> 41:59.950]  Because this request has already failed.
[41:59.950 --> 42:03.870]  So the Ticket you stole at this time is still valid.
[42:05.950 --> 42:09.390]  So from the case just now,
[42:09.390 --> 42:12.570]  this kind of accumulated loophole,
[42:12.570 --> 42:15.530]  if you cooperate with the other party to log into my account,
[42:15.530 --> 42:18.790]  in fact, it can produce a lot of attack scenarios.
[42:20.530 --> 42:21.630]  That is to say,
[42:21.630 --> 42:26.550]  this kind of ineffective attack on some stolen cookies or operating resources is useless.
[42:31.140 --> 42:33.760]  And this is the picture I put in the beginning.
[42:33.760 --> 42:37.420]  That is to say, from different dimensions,
[42:37.420 --> 42:40.620]  from writing content to reading content to your content,
[42:40.620 --> 42:44.200]  does it have a greater code execution ability?
[42:44.200 --> 42:45.680]  And then combined with different scenarios,
[42:45.680 --> 42:49.660]  there will be some attacks in different scenarios.
[42:56.700 --> 43:02.540]  And this kind of attack is not to tell everyone how to do some bad things.
[43:02.540 --> 43:04.760]  That is to say, this kind of way,
[43:04.760 --> 43:06.900]  that is to say, to tell everyone that there may be this kind of attack,
[43:06.900 --> 43:09.280]  it will bring some harm.
[43:09.280 --> 43:14.320]  And these attacks all take advantage of some very small loopholes.
[43:14.320 --> 43:15.500]  Basically, these loopholes,
[43:16.260 --> 43:18.420]  I may not be able to mention them to others.
[43:18.420 --> 43:21.140]  I can't say that you didn't do CSRF protection for a login form,
[43:21.140 --> 43:24.620]  or some things that your page transmitted with GET.
[43:25.120 --> 43:26.640]  That is to say, it's hard to mention.
[43:26.640 --> 43:28.540]  These are all very small loopholes.
[43:28.540 --> 43:32.080]  But these loopholes are usually very easy to fix.
[43:32.080 --> 43:35.100]  Because it can be combined with many different loopholes,
[43:35.100 --> 43:37.740]  it may pose a great threat to the user.
[43:37.980 --> 43:42.620]  And try to be as sensitive as possible,
[43:42.620 --> 43:49.020]  or some of them, including the user name display in the upper right corner,
[43:49.020 --> 43:52.420]  may be made a little more eye-catching.
[43:52.420 --> 43:55.220]  That is to let the user know that when I am operating,
[43:55.220 --> 43:56.400]  I am currently logging in.
[43:56.400 --> 43:58.440]  Is it my own account?
[44:00.200 --> 44:04.860]  Then there is some CSRF protection, including the login form,
[44:04.860 --> 44:09.100]  even some requests for SSO and third-party interaction,
[44:10.060 --> 44:12.600]  including even the logout request.
[44:12.960 --> 44:15.640]  For example, some CSRF protection must be done.
[44:20.160 --> 44:23.120]  Even some of them may not be external scenarios,
[44:23.120 --> 44:24.420]  such as the app end.
[44:24.520 --> 44:27.000]  For example, if someone gives you a credential,
[44:27.000 --> 44:28.880]  you must verify which source it came from.
[44:30.260 --> 44:32.200]  This is actually a very important principle in security,
[44:32.200 --> 44:33.620]  which is basically called authentication.
[44:33.620 --> 44:36.320]  That is, whoever gives you something must have basic authentication.
[44:36.320 --> 44:41.740]  Whether you are through some password or some...
[44:41.740 --> 44:43.740]  I think the password may not be enough.
[44:43.740 --> 44:45.020]  At least it should be basic.
[44:45.640 --> 44:46.580]  In general, for authentication,
[44:46.580 --> 44:48.040]  you basically need to do signature verification
[44:48.040 --> 44:49.840]  to confirm that it was sent by the other party.
[44:49.840 --> 44:50.560]  If it is not sent by the other party,
[44:50.560 --> 44:52.980]  it may be used by some attack scenarios.
